What is ICMP?
A short reference on ICMP — the internet's control channel, why it has no ports, the message types behind ping and traceroute, what breaks when firewalls drop it, and why blocking all of it black-holes your own connections.
The one-line definition
ICMP (Internet Control Message Protocol) is the IP layer's feedback channel: the protocol routers and hosts use to report what happened to your packets — unreachable, expired, too big, or (on request) simply "I'm here." It is not for carrying data; it is the network talking about the network. Defined by Jon Postel in RFC 792 (1981) and mandatory: RFC 1122 requires every IP host to implement it.
Where it sits (and why it has no ports)
ICMP rides directly inside IP packets, beside TCP and UDP rather than on top of them. That means no ports — you cannot "ICMP to port 80." Messages are addressed to a host, not to an application, because their subject matter is delivery itself, not any particular service. This is also why ping needs raw-socket privileges (or a setuid/capability arrangement) rather than just opening a socket like a normal client.
The message types that matter
| Type | Name | Who sends it, when |
|---|---|---|
| 8 / 0 | Echo Request / Echo Reply | ping's entire mechanism: send an 8, time the 0 |
| 3 | Destination Unreachable | A router or host: no route, or port closed (code 3, the polite "connection refused" of UDP) |
| 3 code 4 | Fragmentation Needed | "Your packet is too big for the next link" — load-bearing, see footguns |
| 11 | Time Exceeded | A router: your packet's TTL hit zero here |
| 5 | Redirect | "There's a better first hop" — mostly disabled today for security |
The two tools built out of it
ping is the minimal use: send Echo Request, receive Echo Reply, report round-trip time. Answered pings prove the host, the route, and both stacks — everything below the application — in one line.
traceroute is the brilliant abuse: send packets with TTL=1, then 2, then 3… Each router that decrements TTL to zero must return a Time Exceeded from its own address — so the error messages, collected in order, are the route. The map is drawn entirely from failure reports.
What "ping is blocked" actually means
No reply to ping does not mean the host is down. Many networks filter Echo Request at the firewall (Windows blocks inbound by default; plenty of datacenters drop it at the edge). The host may serve HTTPS happily while ignoring ping. Silence on ICMP is evidence, not proof — check a real port before declaring death: curl, nc, or your monitoring's TCP checks.
The footguns
Blocking all ICMP breaks PMTU discovery. The classic overzealous-firewall injury. Path MTU discovery works by sending large packets flagged "don't fragment" and relying on Fragmentation Needed errors to learn the path's limit. Silently drop those errors and large transfers black-hole: the TLS handshake works (small packets), then the bulk transfer hangs forever (big packets vanish without diagnosis). If you filter ICMP, permit type 3 — especially code 4.
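An added example, not code from the original page: a toy Python model of the PMTU black hole described above. It builds and parses the real ICMP wire format (8-byte header, RFC 1071 checksum, RFC 1191 next-hop MTU field); the function names, the three-link path and the retry count are assumptions made for illustration.

```python
import struct

NAMES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
         8: "Echo Request", 11: "Time Exceeded"}  # types from the table above

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build(mtype: int, code: int, rest: int, payload: bytes = b"") -> bytes:
    """Pack an ICMP message: type, code, checksum, 4 type-specific bytes."""
    body = struct.pack("!BBHI", mtype, code, 0, rest) + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def parse_icmp(msg: bytes) -> dict:
    if len(msg) < 8 or checksum(msg) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    mtype, code, _, rest = struct.unpack("!BBHI", msg[:8])
    info = {"type": mtype, "code": code, "name": NAMES.get(mtype, "other")}
    if mtype in (0, 8):                      # echo: identifier + sequence
        info["id"], info["seq"] = rest >> 16, rest & 0xFFFF
    elif mtype == 3 and code == 4:           # RFC 1191: low 16 bits = next-hop MTU
        info["name"], info["next_hop_mtu"] = "Fragmentation Needed", rest & 0xFFFF
    return info

def send_df(size: int, link_mtus: list):
    """Toy path: the first link too small for a DF packet answers with 3/4."""
    for mtu in link_mtus:
        if size > mtu:
            return build(3, 4, mtu)  # real errors also quote the dropped packet
    return None                      # delivered end to end

def discover_pmtu(link_mtus, firewall_passes_icmp: bool, start=1500, tries=5):
    """Return the size that got through, or None if the transfer black-holes."""
    size = start
    for _ in range(tries):
        err = send_df(size, link_mtus)
        if err is None:
            return size
        if firewall_passes_icmp:     # otherwise the sender retries the same size
            size = parse_icmp(err)["next_hop_mtu"]
    return None

PATH = [1500, 1400, 1500]            # constructed sample: one 1400-byte link
print(discover_pmtu(PATH, True), discover_pmtu(PATH, False),
      discover_pmtu(PATH, False, start=500))   # 1400 None 500
```

The third result is the handshake case: a 500-byte packet fits every link, so it succeeds even with ICMP dropped, which is why the failure only appears once large packets start flowing.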
ICMPv6 is not optional at all. In IPv6, where fragmentation-by-routers is gone entirely, PMTUD depends wholly on ICMPv6 Packet Too Big — and Neighbor Discovery (IPv6's ARP replacement) is ICMPv6. Block it and the network simply stops working, not subtly.
Rate limiting shapes what you see. Routers deprioritize ICMP generation and response; a hop showing 30% "loss" in traceroute while later hops show none is a router being stingy with error messages, not a lossy link. Trust end-to-end results over per-hop noise.